wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

bad username parser #1811

Closed okitry closed 11 months ago

okitry commented 11 months ago

I was doing some research on one CTF today and found that the parser had collected login data incorrectly:

[i] User(s) Identified:
[+] jm3s

When I went manually to blog/?author=1 I saw "Author: j@m3s"

Then I tested on the wp-login.php login:

jm3s - ERROR: Invalid username.
j@m3s - ERROR: The password you entered for the username j@m3s is incorrect.

For some reason the parser truncated the "@" symbol.

alexsanford commented 11 months ago

Could you please confirm the output of /wp-json/wp/v2/users/?per_page=100&page=1?

When I do so, with a user on my site with username j@m3s, WordPress itself tells me that the username is jm3s, even though to log in I do need the @ character.

By default WordPress doesn't allow @ characters in usernames, so I had to manually edit the username in the DB in order to reproduce this. That said, it doesn't appear to be an issue with WPScan, but rather an issue with the way WP handles usernames with illegal characters in them.

Closing this as I believe it's an issue with WP, not WPScan, but feel free to reopen if I've misunderstood!
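
The mismatch discussed in this thread, as an added example (not part of the thread and not WPScan's code): it reads a `/wp-json/wp/v2/users` style response and marks records whose `slug` is a character-stripped form of the `name` field, so a reviewer knows the reported identifier may not be the literal login. The sample response is constructed, and `slug_like` is a hypothetical, simplified approximation of the reduction, not WordPress's own function.

```ruby
require 'json'

# Constructed sample of a /wp-json/wp/v2/users response (not from a real site).
SAMPLE_USERS_JSON = <<~JSON
  [
    {"id": 1, "name": "j@m3s",    "slug": "jm3s"},
    {"id": 2, "name": "editor",   "slug": "editor"},
    {"id": 3, "name": "Jane Doe", "slug": "jdoe"}
  ]
JSON

# Hypothetical, simplified approximation of a slug-style reduction (assumption):
# lowercase, whitespace to dashes, drop anything outside a-z, 0-9, '_' and '-'.
def slug_like(value)
  value.downcase.strip.gsub(/\s+/, '-').gsub(/[^a-z0-9_-]/, '').gsub(/-+/, '-')
end

# Classify each record by how its slug relates to its name:
#   :exact     - slug and name are identical
#   :reduced   - slug equals the name with characters stripped (lossy)
#   :unrelated - slug cannot be derived from the name by this reduction
def review_users(json)
  JSON.parse(json).map do |user|
    name = user.fetch('name', '')
    slug = user.fetch('slug', '')
    status =
      if name == slug then :exact
      elsif slug_like(name) == slug then :reduced
      else :unrelated
      end
    # Characters present in the name but absent from the slug.
    dropped = status == :reduced ? (name.downcase.chars - slug.chars).uniq : []
    { id: user['id'], slug: slug, name: name, status: status, dropped: dropped }
  end
end

if __FILE__ == $PROGRAM_NAME
  review_users(SAMPLE_USERS_JSON).each do |r|
    puts format('%-9s id=%d slug=%s name=%s dropped=%s',
                r[:status], r[:id], r[:slug], r[:name], r[:dropped].inspect)
  end
end
```

A `:reduced` record only shows that the slug lost characters relative to the name; it does not establish what the stored login is.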